* fix https://github.com/acmesh-official/acme.sh/issues/3384
match the issuer to the root CA cert subject

* fix format

* fix https://github.com/acmesh-official/acme.sh/issues/3384

* remove the alt files. https://github.com/acmesh-official/acme.sh/issues/3384
This commit is contained in:
neil 2021-02-13 16:22:31 +08:00 committed by GitHub
parent 9d8cdb5976
commit 12b1916599
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

58
acme.sh
View File

@ -4009,12 +4009,42 @@ _check_dns_entries() {
} }
#file #file
_get_cert_issuers() { _get_chain_issuers() {
_cfile="$1" _cfile="$1"
if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 ${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
else else
${ACME_OPENSSL_BIN:-openssl} x509 -in $_cfile -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 _cindex=1
for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do
_endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)"
_debug2 "_startn" "$_startn"
_debug2 "_endn" "$_endn"
if [ "$DEBUG" ]; then
_debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")"
fi
sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/"
_cindex=$(_math $_cindex + 1)
done
fi
}
#
_get_chain_subjects() {
_cfile="$1"
if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
else
_cindex=1
for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do
_endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)"
_debug2 "_startn" "$_startn"
_debug2 "_endn" "$_endn"
if [ "$DEBUG" ]; then
_debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")"
fi
sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/"
_cindex=$(_math $_cindex + 1)
done
fi fi
} }
@ -4022,14 +4052,12 @@ _get_cert_issuers() {
_match_issuer() { _match_issuer() {
_cfile="$1" _cfile="$1"
_missuer="$2" _missuer="$2"
_fissuers="$(_get_cert_issuers $_cfile)" _fissuers="$(_get_chain_issuers $_cfile)"
_debug2 _fissuers "$_fissuers" _debug2 _fissuers "$_fissuers"
if _contains "$_fissuers" "$_missuer"; then _rootissuer="$(echo "$_fissuers" | _lower_case | _tail_n 1)"
return 0 _debug2 _rootissuer "$_rootissuer"
fi
_fissuers="$(echo "$_fissuers" | _lower_case)"
_missuer="$(echo "$_missuer" | _lower_case)" _missuer="$(echo "$_missuer" | _lower_case)"
_contains "$_fissuers" "$_missuer" _contains "$_rootissuer" "$_missuer"
} }
#webroot, domain domainlist keylength #webroot, domain domainlist keylength
@ -4803,6 +4831,9 @@ $_authorizations_map"
_split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH" _split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH"
if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then
if [ "$DEBUG" ]; then
_debug "default chain issuers: " "$(_get_chain_issuers "$CERT_FULLCHAIN_PATH")"
fi
if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then
rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)" rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)"
_debug2 "rels" "$rels" _debug2 "rels" "$rels"
@ -4818,13 +4849,22 @@ $_authorizations_map"
_relca="$CA_CERT_PATH.alt" _relca="$CA_CERT_PATH.alt"
echo "$response" >"$_relcert" echo "$response" >"$_relcert"
_split_cert_chain "$_relcert" "$_relfullchain" "$_relca" _split_cert_chain "$_relcert" "$_relfullchain" "$_relca"
if [ "$DEBUG" ]; then
_debug "rel chain issuers: " "$(_get_chain_issuers "$_relfullchain")"
fi
if _match_issuer "$_relfullchain" "$_preferred_chain"; then if _match_issuer "$_relfullchain" "$_preferred_chain"; then
_info "Matched issuer in: $rel" _info "Matched issuer in: $rel"
cat $_relcert >"$CERT_PATH" cat $_relcert >"$CERT_PATH"
cat $_relfullchain >"$CERT_FULLCHAIN_PATH" cat $_relfullchain >"$CERT_FULLCHAIN_PATH"
cat $_relca >"$CA_CERT_PATH" cat $_relca >"$CA_CERT_PATH"
rm -f "$_relcert"
rm -f "$_relfullchain"
rm -f "$_relca"
break break
fi fi
rm -f "$_relcert"
rm -f "$_relfullchain"
rm -f "$_relca"
done done
fi fi
fi fi